基于FPGA的TCP无序数据包实时恶意流量检测

IF 3.4 3区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Zhenguo Hu;Hirokazu Hasegawa;Yukiko Yamaguchi;Hajime Shimada
{"title":"基于FPGA的TCP无序数据包实时恶意流量检测","authors":"Zhenguo Hu;Hirokazu Hasegawa;Yukiko Yamaguchi;Hajime Shimada","doi":"10.1109/ACCESS.2023.3323853","DOIUrl":null,"url":null,"abstract":"Currently, with the increasing popularity of high-speed network, in order to protect the network environment, more and more companies start to explore how to efficiently detect malicious traffic. On the software side, traditional detection systems are usually based on CPU which will consume multi-core processing ability to handle huge network traffic. On the hardware side, current researches focus on using specific hardware to offload some functions such as string matching in malicious traffic detection. However, they cannot detect attack behaviors hidden in TCP out-of-order (OOO) packets well, which are very common in modern complex network environments. To deal with this problem, we present an FPGA-based realtime malicious traffic detection method especially to inspect TCP OOO packets. It employs two core function designs for efficient malicious traffic inspection: TCP OOO reassembly and hierarchical packet match. First, the TCP OOO packets are reassembled to in-order packets to prevent the omission check of malicious traffic. Second, we adapt a hierarchical packet match design which can not only detect the packet header and filter the matching traffic, but also has the ability to inspect the carried payload to further determine whether the traffic is benign or malicious. We use Xilinx Alveo U50 accelerator card as the implementation platform to achieve high speed detection. This paper aims to provide a full detection path and implement all the reassembly and inspection process within an FPGA board. We adapt Cisco TRex as the traffic generator to evaluate the system from detection throughput, resource utilization and power consumption. Compared with the CPU-based approaches, the experiment results show that our system has 485% detection throughput increase and 68% average power decrease.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"11 ","pages":"112212-112222"},"PeriodicalIF":3.4000,"publicationDate":"2023-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/iel7/6287639/10005208/10278400.pdf","citationCount":"0","resultStr":"{\"title\":\"Realtime Malicious Traffic Detection Targeted for TCP Out-of-Order Packets Based on FPGA\",\"authors\":\"Zhenguo Hu;Hirokazu Hasegawa;Yukiko Yamaguchi;Hajime Shimada\",\"doi\":\"10.1109/ACCESS.2023.3323853\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Currently, with the increasing popularity of high-speed network, in order to protect the network environment, more and more companies start to explore how to efficiently detect malicious traffic. On the software side, traditional detection systems are usually based on CPU which will consume multi-core processing ability to handle huge network traffic. On the hardware side, current researches focus on using specific hardware to offload some functions such as string matching in malicious traffic detection. However, they cannot detect attack behaviors hidden in TCP out-of-order (OOO) packets well, which are very common in modern complex network environments. To deal with this problem, we present an FPGA-based realtime malicious traffic detection method especially to inspect TCP OOO packets. It employs two core function designs for efficient malicious traffic inspection: TCP OOO reassembly and hierarchical packet match. First, the TCP OOO packets are reassembled to in-order packets to prevent the omission check of malicious traffic. Second, we adapt a hierarchical packet match design which can not only detect the packet header and filter the matching traffic, but also has the ability to inspect the carried payload to further determine whether the traffic is benign or malicious. We use Xilinx Alveo U50 accelerator card as the implementation platform to achieve high speed detection. This paper aims to provide a full detection path and implement all the reassembly and inspection process within an FPGA board. We adapt Cisco TRex as the traffic generator to evaluate the system from detection throughput, resource utilization and power consumption. Compared with the CPU-based approaches, the experiment results show that our system has 485% detection throughput increase and 68% average power decrease.\",\"PeriodicalId\":13079,\"journal\":{\"name\":\"IEEE Access\",\"volume\":\"11 \",\"pages\":\"112212-112222\"},\"PeriodicalIF\":3.4000,\"publicationDate\":\"2023-10-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://ieeexplore.ieee.org/iel7/6287639/10005208/10278400.pdf\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Access\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://ieeexplore.ieee.org/document/10278400/\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10278400/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

目前,随着高速网络的日益普及,为了保护网络环境,越来越多的公司开始探索如何有效地检测恶意流量。在软件方面,传统的检测系统通常基于CPU,这将消耗多核处理能力来处理巨大的网络流量。在硬件方面,目前的研究主要集中在使用特定的硬件来卸载恶意流量检测中的字符串匹配等功能。然而,它们不能很好地检测隐藏在TCP无序(OOO)数据包中的攻击行为,这在现代复杂网络环境中非常常见。为了解决这个问题,我们提出了一种基于FPGA的实时恶意流量检测方法,特别是用于检测TCP OOO数据包。它采用了两种核心功能设计来进行高效的恶意流量检测:TCP OOO重组和分层数据包匹配。首先,TCP OOO数据包被重新组装为有序数据包,以防止恶意流量的遗漏检查。其次,我们采用了分层数据包匹配设计,该设计不仅可以检测数据包头部并过滤匹配的流量,还能够检查所携带的有效载荷,以进一步确定流量是良性的还是恶意的。我们使用Xilinx Alveo U50加速器卡作为实现平台来实现高速检测。本文旨在提供一个完整的检测路径,并在FPGA板内实现所有的重组和检测过程。我们采用Cisco TRex作为流量生成器,从检测吞吐量、资源利用率和功耗等方面评估系统。实验结果表明,与基于CPU的方法相比,该系统的检测吞吐量提高了485%,平均功耗降低了68%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Realtime Malicious Traffic Detection Targeted for TCP Out-of-Order Packets Based on FPGA
Currently, with the increasing popularity of high-speed network, in order to protect the network environment, more and more companies start to explore how to efficiently detect malicious traffic. On the software side, traditional detection systems are usually based on CPU which will consume multi-core processing ability to handle huge network traffic. On the hardware side, current researches focus on using specific hardware to offload some functions such as string matching in malicious traffic detection. However, they cannot detect attack behaviors hidden in TCP out-of-order (OOO) packets well, which are very common in modern complex network environments. To deal with this problem, we present an FPGA-based realtime malicious traffic detection method especially to inspect TCP OOO packets. It employs two core function designs for efficient malicious traffic inspection: TCP OOO reassembly and hierarchical packet match. First, the TCP OOO packets are reassembled to in-order packets to prevent the omission check of malicious traffic. Second, we adapt a hierarchical packet match design which can not only detect the packet header and filter the matching traffic, but also has the ability to inspect the carried payload to further determine whether the traffic is benign or malicious. We use Xilinx Alveo U50 accelerator card as the implementation platform to achieve high speed detection. This paper aims to provide a full detection path and implement all the reassembly and inspection process within an FPGA board. We adapt Cisco TRex as the traffic generator to evaluate the system from detection throughput, resource utilization and power consumption. Compared with the CPU-based approaches, the experiment results show that our system has 485% detection throughput increase and 68% average power decrease.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
IEEE Access
IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC
CiteScore
9.80
自引率
7.70%
发文量
6673
审稿时长
6 weeks
期刊介绍: IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信